Sunday, October 30, 2016

Chemical Mixing Incident

Earlier this week the Chemical Safety Board (CSB) announced that it was sending an investigation team to the site of a major chemical release in Atchison, KS that occurred on October 21st. The release was caused by the inadvertent mixing of two common industrial chemicals and resulted in a large chemical cloud sending hundreds to local hospitals with complaints of difficulty breathing.

The Incident

According to news reports (for example see here, here and here) the incident started at 8:00 am when a bulk chemical delivery was put into the wrong storage tank. The two chemicals involved were industrial strength bleach and sulfuric acid, both apparently being used in the facility's waste treatment plant. The chemical reaction between the two produced a large cloud of steam that also included chlorine gas, a byproduct of the reaction between the two chemicals.

There is no publicly available information about which chemical was being unloaded, but due to the odor of chlorine bleach being involved, I would guess that the delivery was sulfuric acid. Adding sulfuric acid to a bleach tank actually produces two separate reactions that would have contributed to the cloud.

First, since bleach is mainly water (only 6 to 12% sodium hypochlorite) the addition of sulfuric acid (which is typically shipped and stored at concentrations above 95% for safety reasons) produced a large amount of heat due to the ‘heat of dilution’. That heat and the lack of mixing would quickly raise the surface temperature of the bleach above the boiling point of water producing a large steam cloud. That steam cloud would be expected to contain trace amounts of unreacted bleach and sulfuric acid.

The chemical reaction between sodium hypochlorite and sulfuric acid produces chlorine gas and even more heat. The reaction is virtually instantaneous and consumes essentially all of whichever chemical is least available (typically the chemical being added to the tank, because addition is usually stopped as soon as the steam cloud is observed). That is why I suspect that the sulfuric acid was being added to the bleach tank.

How Could This Happen?

This type of accident is way too common, especially at waste water treatment facilities. Such facilities typically rely on delivery drivers to unload bulk chemical shipments instead of facility personnel who would be more familiar with which tank contains which chemical. Hose connections are made from the delivery truck to piping that leads to the chemical storage tank. A single bulk truck unloading station typically has separate connections for each of the storage tanks at these facilities. Inadequate marking of the pipe connections, and/or inexperienced (for that facility) drivers results in the truck being hooked up to the wrong piping connection.

Larger chemical facilities avoid these types of incidents through a combination of personnel and design activities vetted through a chemical safety program under either the EPA’s Risk Management Program (RMP) and/or OSHA’s Process Safety Management (PSM) program. Typically, there are only a limited number of personnel on-site who are authorized to unload bulk deliveries of chemicals. They are specifically trained on the hazards associated with the bulk chemicals they will be handling, including the risks associated with mixing of chemicals in storage tanks, bulk unloading lines or hoses. Non-facility delivery drivers are never allowed to unload bulk chemicals without specific facility supervision.

Where there is a specific hazard from the mixing of chemicals being stored at that site (for example bleach and sulfuric acid) engineering measures are taken to prevent that mixing. The tanks may be located in separate tank farms, the bulk unloading lines may be physically separated at different unloading stations, or different types of hose connections are used with the unloading lines to make it more difficult to inadvertently mix those chemicals. Depending on the potential consequences involved (and this particular incident was nowhere near a worst-case incident) combinations of these and other engineering controls could be used.

The CSB Investigation

The CSB usually limits its investigations to larger, more severe events that kill people or result in large scale damage. This is mainly due to their Congressional mandate, limited funds and limited personnel. Taking up this incident is almost certainly due to the level of publicity related to the large cloud and how common this type of incident is.

Compared to other investigations this one should consume much less in the way of CSB resources. That does not mean that the report will be completed and published any sooner; the CSB will likely place a low priority on the completion of this investigation.

Saturday, October 29, 2016

Public ICS Vulnerability Disclosures – 10-29-16

This week saw a public disclosure of a control system security vulnerability at the 2016 Industrial Control Systems (ICS) Cyber Security Conference (the old Joe Weiss conference under new management). Indegy CTO Mille Gandelsman presented a talk, “Ghost in the Machine: SCADA Vulnerability Enables Remote Control of ICS Networks”, about a vulnerability in the Schneider UnityPro software platform. This was a coordinated disclosure with Schneider publishing a Security Notification concerning the vulnerability.

Reading the Indegy blog post about this vulnerability and then looking at the Schneider notification, it almost looks like the two organizations are looking at two separate vulnerabilities. Indegy describes the vulnerability consequences this way:

“The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”

Schneider simply notes: “This vulnerability is made possible when no application program has been loaded in the simulator or when the application program loaded in the simulator is not password protected.”

Schneider has produced a new version of the software that mitigates the vulnerability. They still note that: “It is up to user responsibility to protect his application by a proper password.”

Schneider published their notification on October 14th and the Indegy presentation was made on October 25th. ICS-CERT has not yet reported on this vulnerability, though it has been widely reported in the press (see for example here and here).

Friday, October 28, 2016

DHS Publishes New CFATS Fact Sheet

Today, without any specific notice, the DHS Infrastructure Security Compliance Division (ISCD) published a link in the ‘Documentation’ section of the CFATS Knowledge Center to a new Chemical Facility Anti-Terrorism Standards (CFATS) Fact Sheet. This is not the latest version of the statistics on the implementation of the CFATS program (each of those is also called a ‘CFATS Fact Sheet’, by the way) that I routinely report on. Rather, it looks like a replacement for the 2012 ‘CFATS Trifold Brochure’. The link to that brochure is still active as of 22:30 EDT. The tri-fold brochure link has been removed from the ‘Documentation’ section of the CFATS Knowledge Center.

The CFATS Fact Sheet has also been printed as an article in the frequently asked questions section of the CFATS Knowledge Center. It can be found as Article 1775.

Nothing really new here. The new documents briefly describe the CFATS program. There is a brief new mention of the 2014 CFATS authorization legislation, but no discussion of the changes brought about by the law. Neither is there any mention of the on-going CSAT 2.0 implementation process.

Thursday, October 27, 2016

ICS-CERT Publishes Honeywell Advisory and ICS DDOS Warning

Today the DHS ICS-CERT published a control system security advisory for the Honeywell Process Knowledge System (PKS). They also issued a warning about the potential for distributed denial of service (DDOS) attacks on internet facing industrial control system products.

Honeywell Advisory

This advisory describes an improper input validation vulnerability in the Honeywell Experion Process Knowledge System (PKS) platform. This is apparently a self-reported vulnerability. Honeywell has produced patches to mitigate the vulnerability.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to prevent the Experion PKS client tools from uploading firmware to Series-C devices.

ICS DDOS Warning

ICS-CERT posted a very short and very generic warning about the potential for DDOS attacks on internet facing control systems or components thereof. This is based upon the US-CERT report about recent very large DDOS attacks. There is no information provided that indicates a specific threat against ICS.

ICSJWG Spring Meeting

ICS-CERT recently published a notice concerning the date of the 2017 Spring meeting of the ICSJWG in Minneapolis, MN over April 11th thru 13th, 2017.

Tuesday, October 25, 2016

ICS-CERT Publishes Siemens SICAM Advisory

Today the DHS ICS-CERT published a control system security advisory describing a denial-of-service vulnerability in Siemens SICAM products. The vulnerability was reported by Adam Crain of Automatak LLC. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that Adam has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause a denial of service. The Siemens Security Advisory reports that the vulnerability exists in the SM-2558 and SM-2556 IEC 60870-5-104 COM Modules used in the SICAM products.

Siemens announced their advisory on TWITTER® last Friday.

TSA Publishes 60-Day ICR Renewal Notice

Yesterday the DHS Transportation Security Administration (TSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (80 FR 73126-73127) to support the TSA’s Transportation Worker’s Identification Credential (TWIC) application and security assessment program. The request includes changes in the burden estimate and description of the affected individuals covered by the ICR.

Burden Estimate

The notice provides the numbers that will be included in the renewal that will be submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) after the public notice process is complete. There is no comparison provided with the currently approved ICR. The table below provides that comparison.

Burden Hours
Burden Cost

There is no specific explanation in the notice for the changes in the burden hours or burden cost. When no explanation (or even identification) of a change is made it is extremely difficult for the public to comment on the appropriateness (of either the magnitude or the necessity) of that change.

Other Changes

The notice changes the description of the information collection requirement. The new description now specifically mentions the Chemical Facility Anti-Terrorism Standards (CFATS) program:

“Also, individuals in the field of transportation who are required to undergo a security threat assessment in certain other programs, such as the Chemical Facility Anti-Terrorism (CFATS) program, may apply for a TWIC® and the associated security threat assessment to satisfy CFATS requirements.”

This addition reflects the recent notice about TSA’s description of the term ‘field of transportation’ that I have previously discussed. This had been alluded to in the justification memo that TSA submitted in support of the currently approved ICR:

“There are also some worker populations in the non-maritime environment who may be authorized/required by TSA to obtain a TWIC given the nature of their work and required access to controlled areas/facilities.  These individuals would be required to complete the same enrollment process as the TWIC-maritime population.”

It will be interesting to see what estimates (if any) TSA provides for the number of CFATS related TWIC submissions. Again, without TSA providing an explanation of how this change is reflected in the burden estimate, it is difficult to comment on this change in the burden.

The notice also briefly notes the following changes in the ICR:

• To expand enrollment options and the potential use of biographic and biometric (e.g., fingerprints, iris scans, and/or photo) information;
• To remove the requirement to collect information about the Extended Expiration Date (EED) TWIC; and
• To revise the fee collection for the TWIC® Program in light of changes to the fee the FBI charges for fingerprint processing (reduction of $2.75 per TWIC submission).

There is no explanation of how these changes will affect the burden estimates. TSA is not alone in their failure to provide detailed explanations for how changes in an ICR will affect the burden estimate; many (most) of the ICR notices that I review also do a poor job of explaining what they are doing. It makes providing effective comments on such notices very difficult. I do not really think that the agencies are trying to avoid having to respond to comments. It is just simpler to create short, boiler-plate ICR notices. And most of the public does not pay attention to ICR notices in any case.

Public Comments

The TSA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (Docket # TSA-2006-24191). I will be submitting a copy of this blog post as a comment.

Saturday, October 22, 2016

CSAT 2.0 Update – 10-21-16

Yesterday the DHS ICS-CERT made some additional changes to the CFATS Knowledge Center page in support of their on-going implementation of revisions to the Chemical Facility Anti-Terrorism Standards (CFATS) program’s Chemical Security Assessment Tool (CSAT) known as CSAT 2.0. Those changes centered on removing links to the older CSAT documents in the ‘Documentation’ section at the bottom of the page.

Documents Removed

The documents removed included:

These links were still good as of 7:30 EDT this morning. If you need copies of these documents for historical purposes you need to get them as soon as possible. There is no telling how long these documents will remain.

Old Documents Still Remaining

The ‘Documentation’ section of the CFATS Knowledge Center has been getting kind of bloated over time. There are a number of useful documents listed here that cannot be found anywhere else on the site without the links provided here. There are, however, a number of documents that could still be removed. Those include:

The CFATS Quarterly is not the most recent (the April 2016 issue is also listed and I have not seen anything more recent). It might be nice to have a CFATS Quarterly web page where links to all of the issues might be found, but only if these are going to be released on a routine (quarterly?) basis. The two CFATS fact sheets are from somewhere in the middle of this series of documents; a similar historical web page might be of limited use. The personnel surety program (PSP) documents are dated; they could be better listed on the PSP website under an historical documents listing. And the last is a link to a website, not a ‘document’, and that page is already listed on the CFATS landing page.

Thursday, October 20, 2016

ICS-CERT Publishes Moxa Advisory

Today the DHS ICS-CERT published a control system security advisory for a privilege escalation vulnerability in the Moxa EDR-810 Industrial Secure Router. The vulnerability was reported by Maxim Rupp. Moxa has produced a new firmware version to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could use publicly available information to remotely exploit this vulnerability to escalate privileges, initiate a denial-of-service condition, and execute arbitrary code.

PHMSA Sends Two Pipeline Safety Rules to OMB

On Tuesday the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) sent two pipeline safety rulemakings to the OMB’s Office of Information and Regulatory Affairs (OIRA) for approval. The first was an interim final rule: Pipeline Safety – Underground Storage Facilities for Natural Gas. The second was a final rule: Pipeline Safety – Safety of Hazardous Liquid Pipelines.

Underground Storage Facilities

This is a brand-new rulemaking that first showed up in the Spring 2016 Unified Agenda. According to the abstract:

“PHMSA has safety authority over the underground storage facilities used in natural gas pipeline transportation, but has no safety regulations in the DOT Code (49 CFR part 192) that apply to the downhole underground storage reservoir for natural gas. PHMSA is planning to issue an interim final rule to require operators of underground storage facilities for natural gas to comply with minimum safety standards, including compliance with API RP 1171, Functional Integrity of Natural Gas Storage in Depleted Hydrocarbon Reservoirs and Aquifer Reservoirs, and API RP 1170, Design and Operation of Solution-mined Salt Caverns Used for Natural Gas Storage. PHMSA is considering adopting the non-mandatory provisions of the RPs in a manner that would make them mandatory, except that operators would be permitted to deviate from the RPs if they provide justification.”

Congress has not specifically required DOT to regulate natural gas underground storage facilities, but this rulemaking relies on the general authority provided to the Secretary under 49 USC 60102(a)(2) to establish safety standards for “pipeline transportation and for pipeline facilities”. The impetus for establishing this interim final rule is almost certainly the 2015 Aliso Canyon leak.

It looks like PHMSA has tried to avoid complaints about midnight rulemaking by requiring implementation of voluntary industry standards. If the Republicans retain control of both the House and Senate, I suspect that there might be an attempt to overturn this interim final rule if it is published before the end of the Obama Administration. It is also possible that OIRA will not act on this rulemaking before the next Administration is inaugurated.

Hazardous Liquid Pipelines

The new hazardous liquid pipeline safety rulemaking was begun in 2010 with an advance notice of proposed rulemaking (ANPRM). The notice of proposed rulemaking (NPRM) was published just over a year ago. Since this rulemaking has a long history it is unlikely that it would receive any special congressional attention in the next session.

Wednesday, October 19, 2016

CSAT 2.0 Update – 10-19-16

Today the DHS Infrastructure Security Compliance Division (ISCD) continued updating their Chemical Facility Anti-Terrorism Standards (CFATS) program web pages to reflect the on-going implementation of their Chemical Security Assessment Tool (CSAT) 2.0. Today’s changes were mostly housekeeping with no new information.

The vast majority of the changes made today were adding links for the previously published CSAT 2.0 Portal User Manual and the CSAT 2.0 Survey Application User Manual. Links had previously been provided on the CFATS Knowledge Center web page. Interestingly, I recently learned that that is the only page that ISCD actually controls. It seems that some higher-level organization (probably the National Protection and Programs Directorate – NPPD) within DHS has an office that maintains web pages for subordinate offices.

There were some deletions from the web sites. These deletions were also housekeeping in nature. For example, the CFATS Tiering Methodology web page had the links removed for registration to participate in last week’s two webinars on the CSAT 2.0 Application, the Top Screen and SVA-SSP tools. I wish that they had replaced those with links to the recorded version of the webinars. Here are the links that I have for those webinars (they are still active as of the writing of this post):

Note: These are all presented using Adobe Connect so Adobe Flash Player must be enabled to view the webinars. I know…. I really wish that the DHS cybersecurity folks would explain the security problems with Flash Player to the DHS management so that some other presentation tool would be used.

ICS-CERT Publishes Schneider Advisory

Yesterday the DHS ICS-CERT published a control system security advisory for the Schneider Electric PowerLogic PM8ECC device. The vulnerability was reported by He Congwen. Schneider has produced a patch that mitigates the vulnerability. There is no indication that Congwen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to gain access to configuration data on the device. The Schneider Security Notification (note: there are currently problems with this link which may explain why it was not included in the ICS-CERT Advisory) for the vulnerability explains that exploiting the vulnerability will provide the attacker with ‘special user’ data that would allow the attacker to login to the device with full administrator access.

Monday, October 17, 2016

CSAT 2.0 Update – 10-17-16

Today the DHS Infrastructure Security Compliance Division (ISCD) made changes to the Chemical Security Assessment Tool (CSAT) website in its further implementation of CSAT 2.0 that started earlier this month. Today’s changes included two new web pages and the publication of a link to the new SVA-SSP manual that was announced earlier on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center.

While the initial phases of the CSAT 2.0 rollout focused on the new Top Screen, ISCD has also made significant changes to the security vulnerability assessment (SVA) process and site security plan (SSP). Since a large portion of the earlier SVA process has been shifted to the new Top Screen the SVA has been reduced in scope and essentially combined with the SSP submission.

The CSAT web page now contains links to two new pages; one for the new SVA-SSP tool, one outlining changes to the SVA and SSP portion of that tool. The first provides a brief description of the new SVA-SSP tool and provides the official link to the new manual (through the typical DHS web site transition page). The second page provides a little more detail about new questions in the SVA portion of the tool and the more extensive changes in the SSP portion of the tool.

SVA-SSP Implementation

Facilities that complete the new Top Screen will end up in one of three general categories. The first (and largest) will be the facilities that will be notified that they are not considered to be at high risk of terrorist attack and thus not covered by the CFATS program; they will not have to worry about the SVA-SSP. The second (probably the smallest group) will not have been covered by the CFATS program on October 1st, but will now (because of new information and/or the new risk assessment process) be notified that they are required to submit an SVA-SSP within 120 days. The third group will be facilities currently under the CFATS program (and most likely with a submitted, authorized, or approved SSP). Those facilities will have to make a facility-by-facility determination of whether or not they will have to revise their current SSP.

The middle group of facilities will continue to have the existing options for submission of Alternative Security Plans (ASP) or Expedited Approval Plans (EAP). Facilities notified of a Tier IV ranking will be able to complete an ASP in lieu of the SVA and SSP. Facilities ranked in Tiers I thru IV may submit either an ASP or EAP in lieu of the SSP. These facilities will be given 120 days from the date of their notification letters to submit the new SVA-SSP.

Existing CFATS facilities that receive new notification letters confirming that they remain in tiered status will be told which chemicals of interest (COI) and security measures they are being tiered for. If the facility's existing SSP (submitted, authorized or approved) does not adequately cover the listed chemicals or security measures, the facility will have to submit a revision to their SSP.

In CSAT 1.0 there was an SSP revision tool and manual. There is not currently such a manual printed for CSAT 2.0. At least initially it looks like SSP revisions will be submitted using the new SVA-SSP tool. The SVA-SSP revision page notes that:

“For facilities that have previously submitted the SVA and SSP, the majority of their previously submitted information will be pre-populated into the new survey. Although CSAT 2.0 drastically reduces the number of overall questions, the tool includes some new questions and sections, which are outlined below to help facilities that fall into categories 1 and 2 above revise their surveys in an effective and efficient manner.”

New Cyber Questions

There are many new questions and I will be addressing some of them in future blog posts. Today I will briefly mention the new cybersecurity related questions for the SVA and SSP identified on the SSP Revisions page.

For the SVA portion of the tool, the new page notes that there are new questions for: “Identifying cybersecurity measures and vulnerabilities in cybersecurity”. That would be question #2.50.040. The response (pg 7) provides for a 4,000-character description of the “cybersecurity measures and any identified vulnerabilities found while doing this analysis.”

The SSP portion of the tool will retain the cybersecurity questions found in the previous SSP. Four new questions have been added: two questions addressing whether or not there are control systems and/or business systems that directly affect the security of listed COI, and a follow-up question for each identifying the specific covered cyber systems at the facility.

For control systems question Q3.40.400 specifically notes that:

“Defining cyber control systems for your facility should be limited to those systems that have the ability to control the process and could result in a release or contamination of COI.”

For business systems question Q3.40.420 specifically notes that:

“Cyber business systems include those systems that manage ordering, shipping, receiving, and inventory of chemicals of interest and those systems that are connected to or manage physical security systems, control systems, and other critical systems.”

Friday, October 14, 2016

ICS-CERT Publishes One Update and Seven Advisories

Today the DHS ICS-CERT published an update for a control system security advisory for a product from Siemens originally published in August. It also published seven new control system security advisories for products from:

• Kabona;
• Fatek Automation;
• Moxa;
• Rockwell;
• Siemens; and
• OSIsoft

Siemens Update

This update provides additional information on the affected versions of the Siemens SINEMA Server and provides a link to a new version of the affected software. Siemens published a new version of their Security Advisory on Wednesday.

Kabona Advisory

This advisory describes multiple vulnerabilities in the Kabona AB WebDatorCentral (WDC) application. The vulnerabilities were reported by Martin Jartelius and John Stock of Outpost 24. Kabona has produced an update to mitigate the vulnerabilities. ICS-CERT reports that Jartelius has verified the efficacy of the fix.

The vulnerabilities include:

• Cross-site scripting - CVE-2016-8356;
• Open redirect - CVE-2016-8376; and
• Improper restriction of excessive authentication attempts - CVE-2016-8347

ICS-CERT reports that it would be relatively easy to craft an exploit, but a social engineering attack would be required to remotely exploit these vulnerabilities to obtain data from the web server application and redirect users to other potentially malicious pages.

Fatek Automation Advisory

This advisory describes multiple vulnerabilities in the Fatek Automation PM and FV Designer applications. The vulnerabilities were reported by Ariele Caltabiano (kimiya) through the Zero Day Initiative (ZDI). ICS-CERT notes that Fatek has not published an update and that ZDI has already published their 0-day notice on the vulnerabilities (on September 21st) after coordination with ICS-CERT.

The vulnerabilities include:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2016-5796;
• Stack-based buffer overflow - CVE-2016-5798; and
• Buffer overflow - CVE-2016-5798 (No I didn’t copy this wrong, the same CVE number is used twice in the Advisory)

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to perform a number of malicious actions including denial of service and arbitrary code execution.

Moxa Advisory

This advisory describes multiple vulnerabilities in the Moxa ioLogik E1200 series applications. The vulnerabilities were reported by Alexandru Ariciu of Applied Risk. Moxa has produced a new version of the firmware that mitigates the vulnerabilities. ICS-CERT reports that Ariciu has verified the efficacy of the fix.

The vulnerabilities include:

• Cross-site scripting - CVE-2016-8359;
• Insufficiently protected credentials - CVE-2016-8372;
• Weak password requirements - CVE-2016-8379; and
• Cross-site request forgery - CVE-2016-8350

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to remotely execute arbitrary code, modify parameters and settings, or reset the device.

Rockwell Advisory

This advisory describes multiple vulnerabilities in the Rockwell Automation Allen-Bradley Stratix industrial switches. These vulnerabilities are self-reported and are based upon the recently reported Cisco IOS and IOS XE vulnerabilities. Rockwell has produced a new version to mitigate these vulnerabilities.

The vulnerabilities include:

• Information exposure through error message - CVE-2016-6393;
• Improper input validation - CVE-2016-6382 and CVE-2016-6385; and
• Protection mechanism failure - CVE-2016-6380.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to affect the availability of the affected products via memory exhaustion, module restart, information corruption, or information exposure.

NOTE: As usual when a vulnerability is based upon problems with third party software, I have to wonder what other vendor products might be using the same software and thus have the same problem.

Siemens SIMATIC Advisory

This advisory describes twin vulnerabilities in the Siemens SIMATIC STEP 7 (TIA Portal). The vulnerabilities were reported by Dmitry Sklyarov and Gleb Gritsai from Positive Technologies. Siemens has produced a new version to mitigate these vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Inadequate encryption strength - CVE-2016-7959; and
• Cryptographic issues - CVE-2016-7960

ICS-CERT reports that it would be difficult to craft a working exploit for these vulnerabilities and it would require local access to the systems. An exploit would allow an attacker to access sensitive information contained in TIA Portal project files.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens Automation License Manager (ALM). The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens has produced a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Resource exhaustion - CVE-2016-8563;
• SQL injection - CVE-2016-8564; and
• Path traversal - CVE-2016-8565

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to upload files, change configuration settings, or create a denial-of-service condition. The Siemens Security Advisory reports that a successful exploit would allow an attacker to obtain write access to the hard disk.

OSIsoft Advisory

This advisory describes a permission vulnerability in the OSIsoft PI Web API. The vulnerability is self-reported by OSIsoft, though the OSIsoft Security Advisory notes that the problem was reported by a customer. OSIsoft has produced a new version to mitigate the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to view or alter PI System data.

ISCD Updates Top Screen – CVI FAQ

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated their response to one of their frequently asked questions (FAQ) on the CFATS Knowledge Center page. The latest update to FAQ # 1586 was a change in the URL for the Chemical Vulnerability Information (CVI) training page. That minor change is the reason that there was no new ‘Latest News’ entry for this FAQ response revision.

Change in CVI Training Requirements

The real news about this FAQ should have been discussed when it was last revised, last February. The FAQ originally (published in May 2009) described the CVI Authorizing Statement that was part of the initial sign on to the Top Screen page. That Statement was the abbreviated CVI training that was required for the Top Screen; full CVI training was not required until the facility received their initial notification letter that, as a result of the review of their Top Screen, they had been designated a covered facility under the Chemical Facility Anti-Terrorism Standards (CFATS) program.

The new Chemical Security Assessment Tool (CSAT) Portal User Manual (issued as part of the CSAT 2.0 rollout) makes it clear that completion of the CVI training is required before CSAT registration can be completed. The old manual (published in 2009) did not even mention CVI, much less require CVI training before registration. Apparently, sometime between 2009 and February of this year when FAQ #1586 was last updated, there was a change in the registration process that required CVI training before the Top Screen could be completed.

CVI-CSAT Linkage

Another interesting thing is found in a note at the bottom of the response to FAQ #1586:

“Note: The email address associated with the CVI Authorized User training record must match the email address associated with the CSAT User Account in order to complete synchronization between the user’s CVI and CSAT accounts.”

This is not mentioned in the new CSAT Portal User Manual.

This could cause some problems for people who completed their CVI training before they started work at the organization for which they are requesting CSAT access. For example, I completed my CVI training in 2007 using my personal email account. Since most organizations frown on (or outright prohibit) using personal rather than corporate email accounts for conducting company business, it looks like I would have to re-do my CVI training using a new corporate email address prior to registering as a CSAT user in a new company.

It is possible that a call to the CFATS Help Desk {(866) 323-2957} could resolve the problem if it arises.

Wednesday, October 12, 2016

ICS-CERT Publishes Sierra Wireless Alert

Today the DHS ICS-CERT took the unusual step of issuing a control system security alert for a ‘vulnerability’ being self-reported by the vendor. ICS-CERT reports that Sierra Wireless has issued a technical bulletin [.PDF Download] describing mitigation measures that owners can take to stop the Mirai malware from infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet.

ICS-CERT is careful to note “that there is no software or hardware vulnerability being exploited in the Sierra Wireless devices by the Mirai malware”. The problem is one of configuration management: the device is still using its default password.

It is nice to see a vendor taking specific steps to identify configuration management problems in its products that allow an outside party to take control of those products and make them part of a botnet. Sharing that information with ICS-CERT to help get the word out is also to be commended. It would sure be nice if all vendors were so proactive.

WaterISAC ICS Cybersecurity Guide

Thanks to Bridget O’Grady over at the ASDWA’s SecurityNotes blog for pointing at the updated WaterISAC cybersecurity guide, “10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks”. While the overview of the 10 measures is written at a fairly high level of generality (a good overview for upper management), each of the 10 sections is accompanied by links to a number of supporting documents from such organizations as ICS-CERT, NIST and SANS. That alone makes this a very valuable reference document.

While all 10 of the cybersecurity measures are important, I would like to add my 2 cents worth on measure number 8 in this document, “Implement an Employee Cybersecurity Training Program”. Time and again we have seen that one of the easiest ways for an attacker to get past security measures is through social media attacks against system users, administrators and management. Organizations that implement an annual ‘read and understand’ training program are doing little to protect their employees against such attacks.

A cybersecurity training program must include detailed classroom presentations about corporate security policies, security programs and individual responsibilities in those programs, as well as training in recognizing and reporting suspicious emails. While on-line training courses may have some value, face-to-face classroom presentations are typically more effective in communicating the importance of cybersecurity to the organization. This is particularly true when the organization takes the time and expense of ensuring that their training presenters have the tools (effective training materials, expertise, and presentation training) necessary to present effective classes.

But effective training cannot be limited to just periodic classes. There needs to be ongoing communication from a designated management representative about the importance of cybersecurity, the current state of cybersecurity in the industry and the organization, and the sharing of news about updates on vulnerabilities and attacks.

Finally, consider the use of a social media attack incentive program. Conduct periodic in-house phishing attacks. Give small rewards and recognition to employees that report such attacks (and special, high-level recognition to employees that report real, outside phishing attacks) and consider the use of system shutdowns for employees that fall for the training attacks. Those shutdowns would need to include a one-on-one review of why the attack succeeded before system access is restored.

For training to be effective, it must be repetitive, targeted and ongoing. And the only way to know if it is actually effective is if the training is evaluated through end-of-training testing and periodic real-world follow-up assessments.

Tuesday, October 11, 2016

DHS Retrospective Review of Existing Regulations

Today the Department of Homeland Security published a notice in the Federal Register (81 FR 70060-70061) requesting public input into the Department’s periodic retrospective review of existing regulations. The regulations included in this review are found in the following Code of Federal Regulations chapters:

This includes the following regulations that may be of specific interest to readers of this blog:

• 6 CFR Part 27 - Chemical Facility Anti-Terrorism Standards
• 6 CFR Part 29 - Protected Critical Infrastructure Information
• 33 CFR Subchapter H - Maritime Security (Parts 101 - 107)
• 33 CFR Subchapter L - Waterfront Facilities (Parts 125 - 128)
• 33 CFR Subchapter N - Dangerous Cargoes (Parts 140 - 149)
• 33 CFR Subchapter O - Certain Bulk Dangerous Cargoes (Parts 150 - 155)
• 49 CFR Part 1520 - Protection of Sensitive Security Information
• 49 CFR Part 1572 - Credentialing and Security Threat Assessments
• 49 CFR Part 1580 - Rail Transportation Security

DHS notes that:

“DHS will afford significantly greater weight to feedback that identifies specific regulations, includes actionable data, or provides viable alternatives that meet statutory obligations and regulatory objectives. Feedback that simply states that a stakeholder feels strongly that DHS should change a regulation, but does not contain specific information on how the proposed change would impact the costs and benefits of the regulation, is much less useful to DHS. DHS is looking for new information and new economic data to support any proposed changes.” [emphasis in original]

DHS is soliciting public comment based upon specific principles and proposes a series of potential questions that such comments should address. Written comments can be submitted via the Federal eRulemaking Portal (Docket # DHS-2016-0072). Comments should be submitted by November 11th, 2016.

Friday, October 7, 2016

Explosives Precursor Meeting Announced – 10-26-16

Today the National Academies of Sciences, Engineering and Medicine announced the first open session meeting of the Study Committee on “Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Chemical Explosive Precursors”. The meeting will be held on October 26th, 2016 in Washington, DC.

The newly selected chair of the Committee, Victoria Greenfield, will open the meeting. David Wulf, the Infrastructure Security Compliance Division (ISCD) Director, will then outline the purpose of the study. This will be followed by a panel discussion looking at the potential scope of the problem. The panel will consist of:

• Patrick Starke, DHS;
• Kevin Sheehan, FBI;
• Col. Bradley B. Preston, DOD Joint Improvised-Threat Defeat Organization; and
• Special Agent Will McCrary, DOJ Bureau of Alcohol, Tobacco, Firearms and Explosives

There will be a brief public comment period at the end of the meeting. The announcement did not include mention of any provisions for providing written comments.

The meeting is open to the public, but due to limited seating, advance registration is recommended.

NOTE: DHS noted that on Tuesday the Academies had completed the selection of the Study Committee. No announcement has yet been made about who was selected for that Study Committee.

CSAT 2.0 Update – 10-07-16

I just finished a conversation with David Wulf, the Director of the DHS Infrastructure Security Compliance Division, and some of his staff about the rollout of the new Chemical Facility Anti-Terrorism Standards (CFATS) risk assessment methodology and the associated changes in the Chemical Security Assessment Tool (CSAT) known as CSAT 2.0.

New Top Screen

DHS has already sent out the first set of notification letters directing facilities to submit new Top Screens. Wulf expects to send out 700 to 800 letters every two weeks for at least the next year or so. Simple math would indicate (and Wulf confirmed) that ISCD would be sending Top Screen notification letters to facilities that had previously submitted Top Screens but had been notified that they were not considered to be at high risk of terrorist attack and thus not covered under the CFATS program.

ISCD is also taking a slightly different tack than they have used in earlier rollouts in the selection of current facilities that will receive their notification letters. Previous CSAT rollouts have focused on the highest risk facilities first. For CSAT 2.0 ISCD is sending letters out in each batch to a mixture of Tier 1, Tier 2, Tier 3, Tier 4, and uncovered facilities.


ISCD expects to send out the first notification letters based upon Top Screen 2.0 results sometime after the first of the year. Some existing facilities will Tier out of the CFATS program because the new risk assessment methodology will no longer rate them as high-risk facilities. Those facilities will no longer be covered by the CFATS program.

Other existing facilities will be notified that their Tier assignments have changed. Those notification letters will indicate which areas of their existing (authorized or approved) site security plans (SSP) will need to be changed to reflect those changes. Deadlines will be provided for the required SSP edits.

Facilities that are notified that they are now covered by the CFATS program will be given 120 days to submit the new SVA/SSP. Those two previously separate tools have been combined into a single submission document.

Expanded CFATS Coverage

Wulf does expect the number of covered CFATS facilities to increase as a result of this new risk methodology and re-contacting facilities that had previously submitted Top Screens. Just how many new facilities might be involved is hard to say. A certain proportion of those facilities will no longer have inventories of DHS chemicals of interest (COI). [NOTE: Facilities that receive notification letters will still need to submit Top Screens even if they do not have current inventories of COI.] Those facilities will almost certainly not be brought into the CFATS process.

Some facilities will have increased their COI inventory levels or added new COI. They should have already submitted Top Screens when those inventory changes were made. Fortunately for those facilities, the Top Screen is written so that no attempt is made to trace back when those inventories were increased. That means that notified facilities do not need to worry about ISCD taking regulatory action against them for not making timely notifications as long as they file their new Top Screens within the 60-day time limit from the date of the notification letter.

There will still be some facilities with no changes in COI inventory that will now be covered by the CFATS program because of the different risk assessment methodology. Wulf expects that the number of new CFATS facilities will not be overly large.

ASP and EAP Not Affected

The new CSAT 2.0 will not affect the use of the Alternate Security Program (ASP) or the Expedited Approval Program (EAP). Those alternatives to the SSP will still be available for selected facilities. Even if the EAP is not used, facilities will find the EAP guidance document valuable for helping them select appropriate security measures to include in their SSP.

ICS-CERT publishes GE Advisory

Yesterday the DHS ICS-CERT published a control system security advisory for an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system. Apparently this is a self-reported vulnerability. GE has produced a new firmware version to mitigate this vulnerability. ICS-CERT had previously published this advisory on the US-CERT Secure Portal on September 8th.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain unauthorized access to the affected device with elevated privileges.

Thursday, October 6, 2016

ISCD Publishes CFATS Advisory Page

Today the DHS Infrastructure Security Compliance Division (ISCD) added a new page to their Chemical Facility Anti-Terrorism Standards (CFATS) program web site. The new CFATS Advisory page was announced on the CFATS Knowledge Center web page. As of this evening the new page is not listed on the CFATS landing page; I expect that that will change tomorrow.

Like most regulatory agencies, ISCD has been asked to clarify certain aspects of how the agency interprets the regulations that they enforce. Starting today ISCD is publicly publishing those interpretations that they believe would be of interest to other members of the regulated community. They are starting with three advisories published yesterday:

CFATS ADVISORY OPINION 2016-001 - RBPS-12 Background Check Requirements for Legacy Employees;  
CFATS ADVISORY OPINION 2016-002 - “A Commercial Grade” Interpretation; and
CFATS ADVISORY OPINION 2016-003 - “Transportation Packaging” Interpretation 

Background Check Requirements

The first opinion actually dates back to May of this year, when ISCD sent the letter attached to the opinion to a CFATS covered facility. It addresses the issue of whether or not long-term legacy personnel are required to be vetted under the background check requirements of 6 CFR §27.230(a)(12). The opinion clearly states:

“The Department of Homeland Security’s longstanding position and interpretation of 6 C.F.R. § 27.230(a)(12) is that background checks are required to be conducted for all facility personnel with access to restricted areas or critical assets at high-risk chemical facilities, regardless of their length of service, as described in more detail in the attachment.”

While the opinion does not separate out any of the specific background checks required under subparagraph (12), the attached letter makes it clear that it specifically does apply to the background checks conducted by the facility under (12)(i), (12)(ii) and (12)(iii) since the facility is not currently covered under the Terrorist Screening Database (TSDB) vetting conducted by DHS under the DHS personnel surety program (PSP).

A Commercial Grade

The list of DHS chemicals of interest (COI) that triggers the reporting requirement for the CFATS Top Screen includes a column that lists the minimum concentration of the COI that must be included in determining if the facility has a screening threshold quantity (STQ) that would require reporting to DHS. For most chemicals that column gives a specific concentration, but for many it is listed as ACG – ‘a commercial grade’. This second opinion explains that ISCD uses two criteria for determining if a chemical meets the ACG standard:

(1) any concentration of a COI that is available in trade or commerce under the name of that COI; or
(2) any mixture of a COI that poses the same or similar security risks for which the COI is listed in Appendix A

This is based upon the words ‘quality’ and ‘concentration’ used in the definition of ‘a commercial grade’ in §27.105.

Transportation Packaging

Facilities are only required to count inventories of theft/diversion COI that are in ‘transportation packaging’. That term is not specifically defined in §27.105. This opinion quotes the preamble to the CFATS Appendix A final rule (72 FR 65395-65435), explaining that ISCD is using the DOT definition of ‘packaging’ found in 49 CFR §171.8 and the minimum requirements for that packaging found in §173.24(b).

The opinion notes that there is one important difference between the DOT regulations and the DHS interpretation of those regulations as it applies to the term ‘transportation packaging’. A DOT packaging that has been modified so that it no longer meets the standards of §173.24(b) is still treated as transportation packaging if that modification could easily be reversed. The example provided in the opinion is removing a lid from the packaging, but it would almost certainly include adding a hose connection to process equipment when the packaging is acting as a temporary storage tank for the process.


I am glad to see ISCD making these advisory opinions publicly available. I am quite sure that they have been providing this type of information in response to specific questions from regulated facilities since the program began in 2007. Making the information publicly available will help ensure that the entire regulated community has a better understanding of how ISCD is overseeing the implementation of the CFATS program.

I am glad to see that ISCD is providing more details outlining their reasoning in establishing these opinions than they do in their responses to the frequently asked questions found on the CFATS Knowledge Center. The discussions in these opinions are more like the ‘articles’ that are also listed in the FAQ section.

Needless to say, I will be watching this page for additional opinions and will report on them as they are published.

Wednesday, October 5, 2016

ICS-CERT Publishes Medical Device Advisory

This morning the DHS ICS-CERT published a medical control system advisory for multiple vulnerabilities in the Animas OneTouch Ping insulin pump system. The vulnerabilities were reported by Jay Radcliffe of Rapid7 (Note: ICS-CERT does not credit Jay, just Rapid7). Animas (a subsidiary of Johnson and Johnson) has published compensating controls, but will not (apparently) be releasing a patch or new version to mitigate the vulnerabilities. Animas is directly notifying patients and health care professionals about the vulnerabilities and compensating controls.

The vulnerabilities reported are:

• Cleartext transmission of sensitive information - CVE-2016-5084;
• Use of insufficiently random values - CVE-2016-5085; and
• Authentication bypass by capture-replay - CVE-2016-5086

While ICS-CERT reports that detailed “vulnerability information is publicly available that could be used to develop an exploit that targets these vulnerabilities”, they claim that it would take a skilled attacker to remotely exploit the vulnerabilities. This may be because an RF transceiver and relatively close access (normally 10 meters) would be required to exploit these vulnerabilities.

Rapid7 published their report on these vulnerabilities on their web site on September 28th. The Animas patient letter was dated yesterday.


I noted in a TWEET® this morning: “Inefficient but effective workarounds, how about an update to correct the problem? Or would that require complete redesign?” ICS-CERT briefly addresses this efficiency issue by noting that the “compensating controls may impact device functionality”. Radcliffe reminds us in the Rapid7 report that:

“First, know that we take risks every day. We leave the house. We drive a car. We eat a muffin. We guess the amount of carbs. All entail risk. This research uncovers a previously unknown risk. This is similar to saying that there is risk of an asteroid hitting you, a car accident occurring or miscalculating the amount of insulin for that muffin you ate. Some of those risks are low (asteroid) some are high (insulin). This knowledge of risk allows individuals to make personal decisions. Most people are at limited risk of any of the issues related to this research. These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk.”

Individuals can assess their personal risk that someone would conduct an attack on their person using these vulnerabilities to personally harm them by inducing hypoglycemia through an insulin overdose; most people would rate this risk of a personal attack as very low. What would be harder for an individual to assess is the risk of someone using this set of vulnerabilities to conduct an attack on Animas or Johnson and Johnson. Even a small number of publicized attacks on individual OneTouch Ping system owners could have a very serious financial impact on Johnson and Johnson in both liability costs and negative publicity costs. Individual device owners would probably have a difficult time assessing that risk to the operation of their insulin pumps. What is sad is that I suspect that Johnson and Johnson have not really evaluated the possibility of that sort of a corporate attack since their advisory letter sounds as if it had been written by the sales department, not the legal department.

ICS-CERT Updates 2 Siemens Advisories and Publishes 2 New Advisories

The DHS ICS-CERT recently updated two control system security advisories for products from Siemens (the two I briefly discussed last week). Yesterday they also published two new control system security advisories for products from Indas and Beckhoff.

Siemens SIMATIC Update

This update adds new information for an advisory originally published in July and then updated in August. It provides updated affected version information for SIMATIC WinCC v7.0 SP3 and SIMATIC PCS 7 v8.0. It also provides update links for SIMATIC WinCC v7.0 and SIMATIC PCS 7 v7.2 and v8.0.

Siemens glibc Update

This update adds new information for an advisory that was reported in April and updated once in June and then again in July. It provides updated affected version information for SCALANCE M-800/S615. It also provides a link to a patch for those affected SCALANCE M-800/S615 products.

INDAS Advisory

This advisory describes a path traversal vulnerability in the INDAS Web SCADA application. The vulnerability was reported by Ehab Hussein of IOActive. INDAS has produced a new version of the software to mitigate the vulnerability, but there is no indication that Hussein has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to download arbitrary files from the target system.

Beckhoff Advisory

This advisory describes two vulnerabilities in the Beckhoff Embedded PC Images and TwinCAT Components. The vulnerabilities were publicly reported in February of 2015 at the 1st International Conference on Information Systems Security and Privacy by Marko Schuba from FH Aachen University of Applied Sciences (there may be an earlier report). In 2014 Beckhoff produced a new version of the software and published three security advisories (here, here, and here) to mitigate the vulnerabilities, but there is no indication that Schuba has been provided an opportunity to verify the efficacy of the fixes.

The vulnerabilities described in the advisory are:

• Improper restriction of excessive authentication attempts - CVE-2014-5414; and
• Exposed dangerous method or function - CVE-2014-5415

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain unauthorized access to systems or read and manipulate transmitted information, especially passwords. Interestingly ICS-CERT does not apparently consider the formal academic paper on these vulnerabilities to be a public exploit that “specifically target these vulnerabilities”.

Tuesday, October 4, 2016

ISCD Publishes Ammonium Nitrate FAQ

Today the DHS Infrastructure Security Compliance Division (ISCD) published a new frequently asked question (FAQ) on the CFATS Knowledge Center web site. FAQ #1773 addresses the confusion about the way solid ammonium nitrate is described in the DHS chemical of interest (COI) list.

The COI lists solid ammonium nitrate as “Ammonium nitrate, solid [nitrogen concentration of 23% nitrogen or greater]”. The phrase ‘nitrogen concentration of 23% nitrogen or greater’ has caused some confusion since nitrogen is 22% of the number of atoms in an ammonium nitrate molecule or 32.6 wt% of the ammonium nitrate molecule.

The new FAQ #1773 asks: “In calculating whether a facility has a Screening Threshold Quantity (STQ) of solid ammonium nitrate in a mixture, does the facility look at the percentage of the nitrogen in the mixture or the percentage of the ammonium nitrate in the mixture?”

The response explains that the ‘33%’ listed in the concentration column of the COI list shows the minimum concentration of ammonium nitrate in a mixture that would make the total weight of that mixture count towards determining if the screening threshold quantity (STQ) for ammonium nitrate (2,000 lbs) has been met. It specifically states: “Facilities should NOT use the nitrogen concentration in a mixture to determine whether the mixture meets the minimum concentration requirements to be counted towards the STQ.”

Monday, October 3, 2016

CSAT 2.0 Update – 10-03-16

On Friday the DHS Infrastructure Security Compliance Division (ISCD) updated a number of their Chemical Facility Anti-Terrorism Standards (CFATS) program web pages to reflect the implementation of the new Chemical Security Assessment Tool (CSAT) 2.0. The big news is that as of Saturday, October 1st, ISCD is re-instating the Top Screen submission requirements for facilities that have new inventories (in the last 60 days) of DHS chemicals of interest (COI). [NOTE: This re-instatement date was actually included in the initial CSAT 2.0 Federal Register announcement.]

CFATS Landing Page

The CFATS landing page included a brief note about the re-instatement of the Top Screen submission requirement. They noted that:

“On October 1, 2016, the requirement to submit Top-Screens will be reinstated. Chemical facilities of interest that have not previously submitted a Top-Screen, but which have come into possession of reportable amounts of COI, must submit a Top-Screen within 60 days. Additionally, in the coming months, DHS will be reaching out directly to CFATS chemical facilities that have previously submitted Top-Screens to DHS and require that they submit a new Top-Screen using CSAT 2.0. However, facilities may choose to proactively resubmit a Top-Screen once the new tool is available and prior to receiving the individual notification.”

This same verbiage was included on a number of other CFATS related pages.

Interestingly, the list of ‘Key Documents’ on the bottom of the pages does not include the three new manuals that I mentioned on Friday morning.

CFATS Knowledge Center

The CFATS Knowledge Center added two new items in the ‘Latest News’ section. The first provided a link to another new document in the ‘Documentation’ section; the CFATS Tiering Methodology Fact Sheet (more on this later). The second item is a very lengthy discussion entitled “Chemical Facility Anti-Terrorism Standards Program Reinstates Top-Screen Requirement with Release of CSAT 2.0”. It would have been nice to see this as a separate document that would remain available on the web site for a longer period of time.

CFATS Tiering Methodology

Most of the changes to the Tiering Methodology page were discussed here Friday. The new item on Saturday was a link to the fact sheet mentioned above. Actually it is the same document but a different link. Why ISCD made the decision to store this document on two different pages, I have no idea.

This fact sheet is the first time that DHS has provided any kind of information about how the risk analysis process is used to determine if an individual chemical facility presents the high-risk of terrorist attack that would require coverage by the CFATS program and how the covered facilities are placed in their Tier rankings.

There is not really anything here that anyone with a background in security risk analysis would not have already guessed was included in the risk analysis process. I would bet that most of this was included in the old risk analysis process. The details of the analysis process are still classified, but this new fact sheet does provide some low level of insight into the new process.